Adding STARTTLS support to users_ldap
lp bug: https://launchpad.net/bugs/389033 fixed bzr revid: ian@catalyst.net.nz-20110811001429-j62yn9uz1g2o9j9c
This commit is contained in:
parent
6adef2a895
commit
949fa9cdd8
@ -49,6 +49,12 @@ anonymous authentication for users, it is only for the master
LDAP account that is used to verify if a user exists before
attempting to authenticate it.
Securing the connection with STARTTLS is available for LDAP
servers support STARTTLS. The default is to require STARTTLS.
Configuration of the LDAP connection (certificates etc) should
be done through ``/etc/ldap/ldap.conf`` (or distribution
specific location).
Security Considerations
+++++++++++++++++++++++
Users' LDAP passwords are never stored in the OpenERP database,
@ -77,6 +83,9 @@ OpenERP database (which means no access), the first step
always fails and the LDAP server is queried to do the
authentication.
Enabling STARTTLS ensures that the authentication query to the
LDAP server is encrypted.
User Template
+++++++++++++
In the LDAP configuration on the Company form, it is possible to
@ -50,7 +50,8 @@ class CompanyLDAP(osv.osv):
args = []
cr.execute("""
SELECT id, company, ldap_server, ldap_server_port, ldap_binddn,
ldap_password, ldap_filter, ldap_base, "user", create_user
ldap_password, ldap_filter, ldap_base, "user", create_user,
ldap_tls
FROM res_company_ldap
WHERE ldap_server != '' """ + id_clause + """ ORDER BY sequence
""", args)
@ -94,6 +95,8 @@ class CompanyLDAP(osv.osv):
if results and len(results) == 1:
dn = results[0][0]
conn = self.connect(conf)
if conf['ldap_tls']:
conn.start_tls_s()
conn.simple_bind_s(dn, password)
conn.unbind()
entry = results[0]
@ -131,6 +134,8 @@ class CompanyLDAP(osv.osv):
logger = logging.getLogger('orm.ldap')
try:
conn = self.connect(conf)
if conf['ldap_tls']:
conn.start_tls_s()
conn.simple_bind_s(conf['ldap_binddn'] or '',
conf['ldap_password'] or '')
results = conn.search_st(conf['ldap_base'], ldap.SCOPE_SUBTREE,
@ -211,12 +216,15 @@ class CompanyLDAP(osv.osv):
help="Model used for user creation"),
'create_user': fields.boolean('Create user',
help="Create the user if not in database"),
'ldap_tls': fields.boolean('Use TLS',
help="Use STARTTLS to connect to the LDAP server"),
}
_defaults = {
'ldap_server': '127.0.0.1',
'ldap_server_port': 389,
'sequence': 10,
'create_user': True,
'ldap_tls': True,
}
CompanyLDAP()
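Review bot: The `if conf['ldap_tls']: conn.start_tls_s()` pair is repeated after both `conn = self.connect(conf)` calls (the hunk at `@ -94,6 +95,8` and the one at `@ -131,6 +134,8`); moving the upgrade into `connect()` itself would make the TLS policy a property of the connection rather than of each caller, so a later call site cannot silently skip it. In the `@ -94` hunk the upgrade and `simple_bind_s(dn, password)` run with no visible `try`, so an `ldap.LDAPError` raised by `start_tls_s()` (a server without STARTTLS, or a certificate rejected under the `/etc/ldap/ldap.conf` settings the docs point at) propagates before the `conn.unbind()` that follows, leaving the handle open; `try: ... finally: conn.unbind()` around those three lines would release it on both paths. With `'ldap_tls': True` in `_defaults`, a configuration that pointed at a plaintext-only server before this change will presumably start failing after the upgrade, which deserves a mention in the field help, e.g. `help="Use STARTTLS to connect to the LDAP server (on by default; turn off only for servers without STARTTLS)"`. The methods containing these hunks start and end outside them.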
@ -20,12 +20,14 @@
<field name="user"/>
<newline/>
<field name="sequence"/>
<field name="ldap_tls"/>
</form>
<tree string="LDAP Configuration">
<field name="sequence"/>
<field name="ldap_server"/>
<field name="ldap_server_port"/>
<field name="ldap_base"/>
<field name="ldap_tls"/>
</tree>
</field>
</xpath>